Personal Data Protection in Hong KongPersonal Data Protection in Hong Kong
The protection of personal data is a key aspect of Hong Kong’s position as one of the world’s leading international financial and technology hubs. The Hong Kong economy is driven by pillar industries such as financial services & insurance, trading and logistics, as well as emerging service sectors like high frequency stock trading, e-commerce and cloud computing.
These businesses need a high degree of connectivity to access networks and business partners. Our carrier-dense, high-performance network hubs offer diverse connectivity options to support their data center needs. Hong Kong provides strong, reliable and scalable infrastructure to host and connect their digital supply chains. As a result, our customers can benefit from the region’s robust and highly secure business environment, with a dense concentration of enterprises, networks and IT service providers.
While it is widely accepted that there is a need to modernise our data protection framework, the reality is that there has been no movement towards this at the policy level. There are a number of reasons for this, including perceived adverse impact on businesses and difficulties in achieving compliance.
In the meantime, businesses need to continue to focus on best practice and ethical standards in their governance of personal data. This is especially important when it comes to cross-border personal data transfers.
As a general rule, the Hong Kong definition of “personal data” is consistent with international norms and includes any information that can be used to identify an individual. This can be in a form that is practicable to identify an individual from, for example, the name and contact details of a person, as well as information that forms part of a database where the individual can be identified by reference to other information.
Under the PDPO, it is the responsibility of the data user to ensure that they have lawful grounds for collecting personal data. This requires a detailed understanding of the purposes for which personal data is collected, and how this will be used. In addition, the data user is required to notify the personal data of any transfer of data to a third party and the classes of persons to whom the data will be transferred. This obligation is fulfilled by the provision of a Personal Information Collection Statement (“PICS”) to the individual prior to the collection of their personal data.
When it comes to the transfer of personal data outside Hong Kong, section 33 prohibits the transfer unless certain conditions are met. However, a number of legal exemptions exist for this. These include:
It is also worth noting that the PCPD has recently published guidance on transfer impact assessments and recommended model clauses to be included in contracts. While these do not represent a mandatory requirement under Hong Kong law, there is a growing number of circumstances in which a Hong Kong data importer will need to agree to them, most commonly where they are the data importer of personal data of EEA persons from a data exporter in the EEA.